I agree that cases involving harming people are exceptional ones for which both quitting in protest and whistleblowing should be on the table, but again, those are exceptional circumstances
an analogy in ITSEC would be knowledge of an actual (not potential) ongoing user data exfiltration and hiding knowledge of that
most ITSEC scenarios are not this, but rather a failure to explain why the potential loss of doing nothing is worse than the actual loss of doing something, just like a CRO must explain why the potential loss of not entering a market is worse than the cost of entering it
an analogy in ITSEC would be knowledge of an actual (not potential) ongoing user data exfiltration and hiding knowledge of that
most ITSEC scenarios are not this, but rather a failure to explain why the potential loss of doing nothing is worse than the actual loss of doing something, just like a CRO must explain why the potential loss of not entering a market is worse than the cost of entering it